@chickendog I've been looking at this for a while and I believe that is indeed the case. Thanks for confirming.

I too have had this issue today.
The ssh session hung at "Stopping Tailscale"
I found a "reboot" from shell worked.

Has anyone found a fix to stop this?

https://redmine.pfsense.org/issues/15673

Feature Request Is Now Open

@mfld my guess would be you have magicdns enabled

https://tailscale.com/kb/1081/magicdns

I think they changed that to be default enabled a while back, use to be off by default. So depending on when you created your tailscale account?

I do not have enabled.. Makes no sense when you run your own dns.

@ericreiss

That's why have I have IPSec as a fail safe backup.

@Swiss-army-knife-of-tech

I had this same issue. I ended up solving it by turning on

"Strict Interface Binding" on the DNS Forwarder service.

@banosr said in Tailscale site to site, am I missing something?:

Thanks for all your help, I finally was able to fixit. My modem was assigning a private address to the wan port, I just needed to unblock private addresses in the wan.

Good to hear 👍

OK Craig at Netgate was kind enough to respond directly to me on this. Evidently this is a bug caused by assigning Tailscale to an interface, which seemed to me like a thing that should be done, but is not the case.

https://redmine.pfsense.org/issues/14780

TS has been especially bad behaved today, not resolving names etc.
So bad in fact that I switched to OpenVPN

Not sure why 😞

@cmcdonald

Hi, I wondered if you might add a little more explanation of why it's better to disable Tailscale DNS, especially in the case where subnets are advertised and the pfSense node is an exit node.

Thanks.

@chudak

Well, I am also running KEA and resetting Tailscale as above has worked for three restarts for me.

I'm not sure that whatever lead to this issue has anything to do with KEA.

bump

Nobody uses ACLs ?

@bthoven I found that using Virtual IP for my home.mydomain.com was the issue. Instead, using LAN interface IP (for my pfSense setup--> 192.168.1.1) has solved the problem.